IETF Logo Mail Archive

Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1

Hubert Kario <hkario@redhat.com> Thu, 12 December 2019 15:58 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 616BF12008D for <tls@ietfa.amsl.com>; Thu, 12 Dec 2019 07:58:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eDzwfmQGIHbU for <tls@ietfa.amsl.com>; Thu, 12 Dec 2019 07:58:45 -0800 (PST)
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 305981200A1 for <tls@ietf.org>; Thu, 12 Dec 2019 07:58:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1576166324; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0sKbZMMPG+rgrj82mmb1xiinod1GN8oVtx8wxVa8LNU=; b=Hn+Uj5ktfha5o2W9BUYkcf+5IqnUcBn5W7fTtVwoqgSi+yMqwJdi79ZqkE05mzYgB8lJNh mD1gqTacx1YWIyb8Sq7rfREx6rz+Yvkgwy11K6mQGNLu8SQWOdXSQWQNsebD6k5BGuoghR u7pp5t1Zu1vfiB1mJVGqmzHq/zFt7tk=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-182-Qo_tuoguPICUu-vc-DxXwQ-1; Thu, 12 Dec 2019 10:58:42 -0500
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B13E618AAFAF; Thu, 12 Dec 2019 15:58:41 +0000 (UTC)
Received: from localhost (unknown [10.43.21.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id DE3D160BF3; Thu, 12 Dec 2019 15:58:40 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Ryan Sleevi <ryan-ietftls@sleevi.com>
Cc: tls@ietf.org
Date: Thu, 12 Dec 2019 16:58:39 +0100
MIME-Version: 1.0
Message-ID: <5b1ed226-ba32-496b-8afa-fbcd274b78d7@redhat.com>
In-Reply-To: <CAErg=HEDpupGjtXUjge-ytUchZ1G+K2=a2NS_TnF4p3PTJREVg@mail.gmail.com>
References: <843cc437-4c6d-43ce-b634-527a287c4e27@www.fastmail.com> <c4bab542-f1fd-4c80-89b8-1b7a3ef883a7@www.fastmail.com> <CAMfhd9W_+1i=Q48GKAxT=TtHm+fKxUKUepqCtfJ7xQ6LgM4h_w@mail.gmail.com> <CAEMoRCshwo1vsb+bYbJLpOCMWGcJ15sz8COXeXbxmX-KDbY8Mw@mail.gmail.com> <20191207102017.GA1754124@LK-Perkele-VII> <8f54acb3-61df-4617-b2c6-53b8c9021575@redhat.com> <20191211142155.GA1879660@LK-Perkele-VII> <CAF8qwaAHXGWwAswv8XfhjhN3fi7XtVSngLJY8sekYgX+u=wXVA@mail.gmail.com> <054bd0ed-6afe-4500-9339-16f414aa8840@redhat.com> <CAErg=HEDpupGjtXUjge-ytUchZ1G+K2=a2NS_TnF4p3PTJREVg@mail.gmail.com>
Organization: Red Hat
User-Agent: Trojita/0.7; Qt/5.12.5; xcb; Linux; Fedora release 30 (Thirty)
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-MC-Unique: Qo_tuoguPICUu-vc-DxXwQ-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DpqSpWv78lsNKkoRgg2gOHV6nWg>
Subject: Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2019 15:58:47 -0000

On Thursday, 12 December 2019 16:26:41 CET, Ryan Sleevi wrote:
> On Thu, Dec 12, 2019 at 6:51 AM Hubert Kario <hkario@redhat.com> wrote:
>
>> If TLS 1.2 was looking insecure, I would be with you on this 
>> one. But given
>> that TLS 1.2 can be configured to be as secure as TLS 1.3, I think
>> introducing
>> weak points to TLS 1.3, weak points we will have to live with for the next
>> decade, if not two, is counter-productive and will only delay deployemnt
>> of
>> RSA-PSS capable HSMs. Not allowing PKCS#1 v1.5 in TLS 1.3 puts actual
>> pressure
>> to replace that obsolete hardware, without exposing users to unnecessary
>> risk.
>> 
>
> That risk calculus doesn't seem to make sense, or even be internally
> consistent?
>
> If we apply the logic you're applying here - that the non-existence within
> TLS 1.3 somehow exerts pressure on organizations to replace - then that
> pressure only exists because the value proposition of TLS1.3 to these
> organizations is greater than the cost of replacing that hardware. But as
> you seemingly state, the value proposition of TLS 1.3 is not significant,
> because "TLS 1.2 can be configured as secure as TLS 1.3". So what's the
> pressure these organizations would face that would have them wanting to
> adopt TLS1.3? It seems that, at least with the information provided, the
> existence or non-existence of PKCS#1v1.5 in TLS1.3 cannot be the force that
> exerts pressure.

a). configuring TLS 1.3 to be secure is easier - so using TLS 1.3 
automatically
    makes the use of it more secure
b). the evaluation I am performing is time dependant - i.e. I'm talking 
about
    situation as it is *now,* in the future the situation may change and 
TLS
    1.2 may become weak/insecure while TLS 1.3 will remain secure.

> Similarly, this argument implies organizations are rational actors that
> evaluate these protocols based on the security strength. If they are indeed
> rational, then the presumed weakness of PKCS#1v1.5 (and not TLS 1.2 vs TLS
> 1.3) would naturally exert a pressure on organizations to replace this
> hardware, in order to leverage the better security of RSA-PSS. Thus the
> existence within TLS1.3 does not actually meaningfully change the calculus
> for security or for organizational pressure.

c). non-use of TLS 1.3 by an organisation is something that will be easy to
    notice by an auditor, use of PKCS#1 v1.5 with client certificates is 
not
    something that I would bet any money to be noticed by a typical auditor
    (e.g. PCI-DSS never went into such details)

> Setting aside for a second arguments about whether RSA-PSS vs PKCS#1v1.5
> (in the context of client certificates) is a significant security
> differentiator, or whether the security properties of TLS1.2 vs TLS1.3 is
> are significant enough to exert pressure, it also seemingly overlooks the
> privacy value afforded by TLS1.3's encryption.

it doesn't, because deploying renegotiation in TLS 1.2 to encrypt client
certificates is neither complex nor unheard-of

> If we're trying to make cost-based assumptions here about what pressures
> will be exerted, I feel like we have ample evidence from the TLS 1.3
> adoption that benefits in security and privacy do not actually exert
> pressures on organizations to change, because the incremental value they
> provide is outweighed by the costs. The middlebox challenges are a
> case-study in this. This draft attempts to reduce those costs, making it
> possible to take advantage of those incremental improvements made in 1.3.

middleboxes affect many connections, client certificates are used by small
minority of connections in very special deployments

> The distinction isn't going from good to going from bad, which seems to be
> implied by arguing against adoption, it's going from worse (TLS1.2, with no
> privacy affordances and the ample considerations around the key schedules)
> to something meaningfully better (TLS1.3), even if it's not ideal.

my argument is that TLS 1.2 is only potentially worse, not provably worse, 
at
least now
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email